Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Tighten the default rate limit of creating new devices. (#15135)
Browse files Browse the repository at this point in the history
  • Loading branch information
clokep authored Feb 22, 2023
1 parent 6def779 commit 4ed08ff
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 5 deletions.
1 change: 1 addition & 0 deletions changelog.d/15135.misc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Tighten the login ratelimit defaults.
6 changes: 3 additions & 3 deletions docs/usage/configuration/config_documentation.md
Original file line number Diff line number Diff line change
Expand Up @@ -1518,11 +1518,11 @@ rc_registration_token_validity:

This option specifies several limits for login:
* `address` ratelimits login requests based on the client's IP
address. Defaults to `per_second: 0.17`, `burst_count: 3`.
address. Defaults to `per_second: 0.003`, `burst_count: 5`.

* `account` ratelimits login requests based on the account the
client is attempting to log into. Defaults to `per_second: 0.17`,
`burst_count: 3`.
client is attempting to log into. Defaults to `per_second: 0.03`,
`burst_count: 5`.

* `failed_attempts` ratelimits login requests based on the account the
client is attempting to log into, based on the amount of failed login
Expand Down
13 changes: 11 additions & 2 deletions synapse/config/ratelimiting.py
Original file line number Diff line number Diff line change
Expand Up @@ -87,9 +87,18 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
defaults={"per_second": 0.1, "burst_count": 5},
)

# It is reasonable to login with a bunch of devices at once (i.e. when
# setting up an account), but it is *not* valid to continually be
# logging into new devices.
rc_login_config = config.get("rc_login", {})
self.rc_login_address = RatelimitSettings(rc_login_config.get("address", {}))
self.rc_login_account = RatelimitSettings(rc_login_config.get("account", {}))
self.rc_login_address = RatelimitSettings(
rc_login_config.get("address", {}),
defaults={"per_second": 0.003, "burst_count": 5},
)
self.rc_login_account = RatelimitSettings(
rc_login_config.get("account", {}),
defaults={"per_second": 0.003, "burst_count": 5},
)
self.rc_login_failed_attempts = RatelimitSettings(
rc_login_config.get("failed_attempts", {})
)
Expand Down

0 comments on commit 4ed08ff

Please sign in to comment.